Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-31052

Good to know:

icon
icon

Date: June 28, 2022

Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.

Language: Python

Severity Score

Related Resources (9)

https://nvd.nist.gov/vuln/detail/CVE-2022-31052
https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333
https://security.alpinelinux.org/vuln/CVE-2022-31052
https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url
https://security-tracker.debian.org/tracker/CVE-2022-31052
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/
https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32
https://www.mend.io/vulnerability-database/CVE-2022-31052

Severity Score

Weakness Type (CWE)

Uncontrolled Recursion

CWE-674

Top Fix

icon

Upgrade Version

Upgrade to version matrix-synapse - 1.61.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us